What is mTLS and How Does it Work?

Benjamin Porter
8 min read · Apr 30, 2020

What is TLS?

Before reaching our goal of understanding mTLS, we need to understand regular TLS. There are tons of resources out there that vary in technical depth. My goal here is familiarization, not mastery (which requires a complex understanding of cryptography and various standards like X.509). If you are aiming for mastery, I suggest looking into a course or a fine book. If you are hoping to become familiar with the basic ideas and terminology, look no further!

You have already used TLS hundreds of times today. Any website you visit with https as the protocol is making use of TLS. The server has used asymmetric encryption to encrypt your requests (providing confidentiality) and has also proven its identity to you, so that you can be confident that it was actually Google who answered your request on https://www.google.com, and not your malicious neighbor who likes to hack you.

Before we proceed further, let’s briefly talk about SSL and how it relates to TLS (the two are often confused). SSL was the predecessor of TLS and is deprecated. However, you will sometimes see SSL and TLS used interchangeably where technical precision isn’t paramount, or to support legacy implementations (for example, Nginx variables often include “ssl” in their name, even though it’s actually TLS that is being configured).

As you gain experience, you’ll generally be able to know whether the speaker means SSL or TLS, but until then it’s pretty safe to assume a person means TLS even if they say SSL. If you are discussing older, insecure, unsupported versions, that could be a reference to actual SSL. Generally speaking though, it is likely that TLS is what is meant.

How does TLS verify identities?

Since we are primarily interested in the identity verification portion of TLS for this blog post, let’s talk about how TLS currently verifies identity.

When setting up a web service that uses TLS, you need to generate a public/private key pair. The terms often used are “key”, rather than private key, and “certificate”, rather than public key. If you previously read the Asymmetric Encryption post, don’t let these terms throw you off! The concept is essentially the same, with some minor additions.
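As an added example (not code from the original post), the shell script below builds a tiny private CA with OpenSSL, issues a server certificate for the constructed hostname api.example.test, and runs the checks a TLS client performs on it: the certificate embeds the public half of the server’s “key”, it chains to a CA the client trusts, and it names the host the client connected to. File names, CA names and the hostname are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Assumes an `openssl` binary
# (1.1.0 or newer); every file name, CA name and hostname below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="api.example.test"          # constructed hostname the client "dials"
EC="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# A CA is just a "key" (private half) plus a self-signed "certificate"
# (public half + the name it vouches for).
make_ca() {   # $1 = file prefix, $2 = CA display name
  openssl req -x509 $EC -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -days 1 -subj "/CN=$2" >/dev/null 2>&1
}

# The server generates its own key pair. The CSR carries only the public
# half plus the identity it claims; the CA's signature turns that into the
# server "certificate" that clients will see.
issue_server_cert() {   # $1 = prefix of the CA that signs
  openssl req $EC -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=$HOST" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" >"$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# "Certificate" really is the public key with additions: the key it embeds
# must be exactly the public half derived from server.key.
cert_matches_key() {
  [ "$(openssl pkey -in "$WORK/server.key" -pubout)" = \
    "$(openssl x509 -in "$WORK/server.crt" -pubkey -noout)" ]
}

# What a client does on connect: is the certificate signed by a CA I trust
# ($1) and issued for the host I asked for ($2)? Exit 0 means both hold.
client_accepts() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/server.crt" >/dev/null 2>&1
}

make_ca trusted "Example Trusted CA"
make_ca rogue   "Example Rogue CA"      # a CA the client does NOT trust
issue_server_cert trusted
```

Run as-is, `client_accepts trusted "$HOST"` succeeds while `client_accepts rogue "$HOST"` and `client_accepts trusted www.other.test` fail, which is exactly the difference between a server proving its identity and one merely presenting a certificate.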

Ben Porter is a Software Engineer/Architect who specializes in distributed applications (like web apps). He is currently Head of Engineering at Ameelio.org